Defeating Counterfeiting and Tampering

The second major attack type against RFID systems is the cloning of tags. To defeat it, the system must (1) guarantee data integrity (prove tag data has not been manipulated), (2) uniquely associate the tag data with the tag itself (prove the data has not been copied from the original tag to another tag) and (3) uniquely associate the data with the real-world object it is describing (prove the tag has not been peeled off the original object and relabeled to another one). One possible solution to these problems is the use of cryptographic hash functions or digital signatures. The advantage of this approach is that no resources are required on the tag to calculate or verify these signatures. All computationally expensive operations can be carried out in a dedicated appliance inspecting all inbound and outbound RFID traffic.

To detect data manipulations, a digital signature (e.g. based on a Hash-based Message Authentication Code or HMAC) must be calculated over the data stored on the tag. The signature should not only take the writable tag data into account but also a data field that is unique to the tag (e.g. an unchangeable tag ID as is common for ISO 15693 tags and also available for certain EPC tags). Ideally, the digital signature should also be associated with a third piece of data, some kind of "fingerprint" or object ID, which is unique to the object or product the tag data is describing (e.g. spectrographic analysis, precise weight or form factor). By calculating a single digital signature over the aggregate of these three data sets (tag data, tag ID and object ID) we can establish data integrity and also establish a trusted link between tag data and tag as well as tag data and object, addressing all three problems described above at the same time.

If there is sufficient user memory available on the tag, the digital signature can be stored directly on the tag (Offline Crypto System, Solution 2); if this is not the case, the signature can be stored in a separate signature database (Online Crypto System, Solution 3).

Offline Crypto System

The first time the tag is written, e.g. at the manufacturing site, the digital signature is calculated. This can be achieved using an architecture similar to the one shown in diagram 3: An appliance deployed right in front of the reader intercepts the write operation initiated by the back-end, calculates the signature and either injects the signature into the tag write process or stores it in a separate database.

Once the product has been shipped and arrives at a distribution center or warehouse, a second installation of the same appliance now reads the tag along with its associated signature. The solution follows the same algorithm to re-calculate the signature and finally compares the two signatures. If they are identical, tag data integrity has been established. If they are not, the tag data has been cloned or modified.
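
The write-side and read-side steps described above can be sketched as follows. This is an added example, not NeoCatena code: HMAC-SHA256, the length-prefixed field encoding, the function names and all sample values (key, tag IDs, tag data, object fingerprint) are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct


def _encode(*fields: bytes) -> bytes:
    """Length-prefix each field so bytes cannot be shifted between fields."""
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def sign_tag(key: bytes, tag_id: bytes, tag_data: bytes, object_id: bytes) -> bytes:
    """Write side: one MAC over the aggregate of tag ID, tag data and object ID."""
    msg = _encode(tag_id, tag_data, object_id)
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_tag(key: bytes, tag_id: bytes, tag_data: bytes,
               object_id: bytes, stored_mac: bytes) -> bool:
    """Read side: recompute the MAC and compare it in constant time."""
    expected = sign_tag(key, tag_id, tag_data, object_id)
    return hmac.compare_digest(expected, stored_mac)


def demo() -> dict:
    key = bytes(range(32))                        # constructed shared secret
    tag_id = bytes.fromhex("e004010012345678")    # constructed read-only tag ID
    other_tag = bytes.fromhex("e004010087654321") # constructed second tag
    data = b"SKU=4711;LOT=A17"                    # constructed writable tag data
    obj = b"weight_g=1250.4"                      # constructed object fingerprint
    mac = sign_tag(key, tag_id, data, obj)        # stored on tag or in database
    return {
        # (1) integrity, (2) data-to-tag binding, (3) data-to-object binding
        "genuine": verify_tag(key, tag_id, data, obj, mac),
        "data_modified": verify_tag(key, tag_id, b"SKU=4711;LOT=B99", obj, mac),
        "copied_to_other_tag": verify_tag(key, other_tag, data, obj, mac),
        "moved_to_other_object": verify_tag(key, tag_id, data, b"weight_g=0310.0", mac),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22s} {'accept' if ok else 'REJECT'}")
```

The length prefix matters because a MAC over plainly concatenated fields would give the same result for the pairs ("AB", "C") and ("A", "BC"), which would let bytes move between tag data and object ID without changing the signature.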

Both the online and offline crypto solutions implement the same digital signature / HMAC algorithms, which all rely on a shared secret key. This requires careful key management: the secret key could be stored either directly inside the RFID security appliance in a protected memory area (low-end solution), in a trusted platform module (TPM), providing a higher level of security, or using a hardware security module (HSM) as a dedicated crypto server providing the highest level of security.

The Offline Crypto System (Solution 2) requires that each instance of the RFID security appliance has its own key storage; the Online Crypto System (Solution 3), on the other hand, performs all key management at a single location. This is generally considered to be more secure, but it requires a reliable VPN communication link between each instance of the RFID security appliance in the field and the global crypto server, which is often impractical.

Online Crypto System

NeoCatena provides solutions suitable for implementing an Online or Offline Crypto System as outlined above, offering various options for HMAC algorithms and key management. The solution is implemented as a dedicated appliance that intercepts all data communication between reader and back-end and initiates the necessary signature calculation, storage and validation operations.

Any security solution should be tailored to the specific requirements of a given system, so that the security level provided is adequate for the application at hand. An RFID security solution is no exception to this rule. For example, a basic protection level can be provided by implementing Solution 1 alone, while a higher level of security is offered by an implementation consisting of Solution 1+2 or Solution 1+3.